Events in the recent past have highlighted the need for real improvements in the area of vulnerability coordination. Historically, foundational work on best practices, policy, and process for vulnerability disclosure have focused on bi-lateral coordination and did not adequately address the current complexities of multi-party vulnerability coordination. Factors such as a vibrant open source development community, the proliferation of bug bounty programs, third party software, and the support challenges facing CSIRTs and PSIRTs or bug bounty programs are just a few of the complications. Examples such as Heartbleed highlight coordination challenges.
The Industry Consortium for Advancement of Security on the Internet (ICASI) proposed to the FIRST Board of Directors that a Special Interest Group (SIG) be considered on Vulnerability Disclosure. After holding meetings at the FIRST Conferences in Boston in June 2015, ICASI formally requested FIRST to charter a SIG to review and update vulnerability coordination guidelines
In March 2016, the National Telecommunications and Information Association (NTIA) convened a multi-stakeholder process to investigate cybersecurity vulnerabilities. One of the efforts within this process focused on multi-party coordination. In June 2016, the NTIA multi-party effort joined the similar effort underway within the FIRST Vulnerability Coordination SIG. This combined effort has produced a document that derives multiparty disclosure guidelines and practices from common coordination scenarios and variations. Subsequent work will address bi-lateral coordination and approaches to notification.
The first version of the Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure was published on Summer, 2017. It is available both in web format and as a PDF. Input on the document continues to be welcomed at firstname.lastname@example.org.
A provisional draft of Guidelines and Practices for Multi-Party Vulnerability Coordination has been published. The public comment period is closed and the SIG has since released an initial version of the Guidelines and Practices.